in_ebpf: Add vfs trace #11568

Open
cosmo0920 wants to merge 1 commit into master from cosmo0920-add-vfs-traces

cosmo0920 (Contributor) commented Mar 17, 2026

VFS also provides eBPF entry points, so we can provide this type of trace.


Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change, please submit the following in a comment:

  • Example configuration file for the change
$ sudo bin/fluent-bit -i ebpf -ptrace=trace_vfs -o stdout 
  • Debug log output from testing the change
Fluent Bit v5.0.0
* Copyright (C) 2015-2025 The Fluent Bit Authors
* Fluent Bit is a CNCF graduated project under the Fluent organization
* https://fluentbit.io

______ _                  _    ______ _ _           _____  _____           _            
|  ___| |                | |   | ___ (_) |         |  ___||  _  |         | |           
| |_  | |_   _  ___ _ __ | |_  | |_/ /_| |_  __   _|___ \ | |/' |______ __| | _____   __
|  _| | | | | |/ _ \ '_ \| __| | ___ \ | __| \ \ / /   \ \|  /| |______/ _` |/ _ \ \ / /
| |   | | |_| |  __/ | | | |_  | |_/ / | |_   \ V //\__/ /\ |_/ /     | (_| |  __/\ V / 
\_|   |_|\__,_|\___|_| |_|\__| \____/|_|\__|   \_/ \____(_)\___/       \__,_|\___| \_/


[2026/03/17 14:19:46.866] [ info] Configuration:
[2026/03/17 14:19:46.866] [ info]  flush time     | 1.000000 seconds
[2026/03/17 14:19:46.866] [ info]  grace          | 5 seconds
[2026/03/17 14:19:46.866] [ info]  daemon         | 0
[2026/03/17 14:19:46.866] [ info] ___________
[2026/03/17 14:19:46.866] [ info]  inputs:
[2026/03/17 14:19:46.866] [ info]      ebpf
[2026/03/17 14:19:46.866] [ info] ___________
[2026/03/17 14:19:46.866] [ info]  filters:
[2026/03/17 14:19:46.866] [ info] ___________
[2026/03/17 14:19:46.866] [ info]  outputs:
[2026/03/17 14:19:46.866] [ info]      stdout.0
[2026/03/17 14:19:46.866] [ info] ___________
[2026/03/17 14:19:46.866] [ info]  collectors:
[2026/03/17 14:19:46.866] [ info] [fluent bit] version=5.0.0, commit=d758d4212e, pid=2490979
[2026/03/17 14:19:46.867] [debug] [engine] coroutine stack size: 24576 bytes (24.0K)
[2026/03/17 14:19:46.867] [ info] [storage] ver=1.5.4, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2026/03/17 14:19:46.867] [ info] [simd    ] SSE2
[2026/03/17 14:19:46.867] [ info] [cmetrics] version=2.0.2
[2026/03/17 14:19:46.867] [ info] [ctraces ] version=0.7.0
[2026/03/17 14:19:46.867] [ info] [input:ebpf:ebpf.0] initializing
[2026/03/17 14:19:46.867] [ info] [input:ebpf:ebpf.0] storage_strategy='memory' (memory only)
[2026/03/17 14:19:46.867] [debug] [ebpf:ebpf.0] created event channels: read=21 write=22
[2026/03/17 14:19:46.867] [debug] [input:ebpf:ebpf.0] initializing eBPF input plugin
[2026/03/17 14:19:46.867] [debug] [input:ebpf:ebpf.0] processing trace: trace_vfs
[2026/03/17 14:19:46.867] [debug] [input:ebpf:ebpf.0] setting up trace configuration for: trace_vfs
[2026/03/17 14:19:46.888] [debug] [input:ebpf:ebpf.0] attaching BPF program for trace: trace_vfs
[2026/03/17 14:19:46.890] [debug] [input:ebpf:ebpf.0] registering trace handler for: trace_vfs
[2026/03/17 14:19:46.890] [ info] [input:ebpf:ebpf.0] registered trace handler for: trace_vfs
[2026/03/17 14:19:46.890] [ info] [input:ebpf:ebpf.0] trace configuration completed for: trace_vfs
[2026/03/17 14:19:46.890] [debug] [input:ebpf:ebpf.0] setting up collector with poll interval: 1000 ms
[2026/03/17 14:19:46.890] [ info] [input:ebpf:ebpf.0] eBPF input plugin initialized successfully
[2026/03/17 14:19:46.890] [debug] [stdout:stdout.0] created event channels: read=37 write=38
[2026/03/17 14:19:46.891] [ info] [sp] stream processor started
[2026/03/17 14:19:46.891] [ info] [engine] Shutdown Grace Period=5, Shutdown Input Grace Period=2
[2026/03/17 14:19:46.891] [ info] [output:stdout:stdout.0] worker #0 started
[2026/03/17 14:19:47.203] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/03/17 14:19:47.203] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_vfs
[2026/03/17 14:19:47.203] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_vfs
[2026/03/17 14:19:48.203] [debug] [task] created task=0x714da4070990 id=0 OK
[2026/03/17 14:19:48.203] [debug] [output:stdout:stdout.0] task_id=0 assigned to thread #0
[2026/03/17 14:19:48.203] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/03/17 14:19:48.203] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_vfs
[0] ebpf.0: [[1773724787.203364419, {}], {"event_type"=>"vfs", "pid"=>982, "tid"=>982, "comm"=>"iio-sensor-prox", "operation"=>0, "path"=>"/dev/iio:device5", "flags"=>2048, "mode"=>0, "fd"=>8, "error_raw"=>0}]
[1] ebpf.0: [[1773724787.203467824, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/proc/2487125/cgroup", "flags"=>524288, "mode"=>0, "fd"=>11, "error_raw"=>0}]
[2] ebpf.0: [[1773724787.203479856, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/proc/1/cgroup", "flags"=>524288, "mode"=>0, "fd"=>11, "error_raw"=>0}]
[3] ebpf.0: [[1773724787.203489011, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/proc/2487125/stat", "flags"=>524288, "mode"=>0, "fd"=>11, "error_raw"=>0}]
[4] ebpf.0: [[1773724787.203497971, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/", "flags"=>2686976, "mode"=>0, "fd"=>11, "error_raw"=>0}]
[5] ebpf.0: [[1773724787.203506275, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/", "flags"=>2686976, "mode"=>0, "fd"=>22, "error_raw"=>0}]
[6] ebpf.0: [[1773724787.203514271, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/", "flags"=>2686976, "mode"=>0, "fd"=>26, "error_raw"=>0}]
[7] ebpf.0: [[1773724787.203522448, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"sys", "flags"=>2752512, "mode"=>0, "fd"=>27, "error_raw"=>0}]
[8] ebpf.0: [[1773724787.203530298, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"class", "flags"=>2752512, "mode"=>0, "fd"=>22, "error_raw"=>0}]
[9] ebpf.0: [[1773724787.203538071, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"backlight", "flags"=>2752512, "mode"=>0, "fd"=>27, "error_raw"=>0}]
[10] ebpf.0: [[1773724787.203546552, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"intel_backlight", "flags"=>2752512, "mode"=>0, "fd"=>22, "error_raw"=>0}]
[11] ebpf.0: [[1773724787.203554624, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"..", "flags"=>2818048, "mode"=>0, "fd"=>22, "error_raw"=>0}]
[12] ebpf.0: [[1773724787.203562754, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"..", "flags"=>2818048, "mode"=>0, "fd"=>27, "error_raw"=>0}]
[13] ebpf.0: [[1773724787.203570724, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"devices", "flags"=>2752512, "mode"=>0, "fd"=>22, "error_raw"=>0}]
[14] ebpf.0: [[1773724787.203578495, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"pci0000:00", "flags"=>2752512, "mode"=>0, "fd"=>27, "error_raw"=>0}]
[15] ebpf.0: [[1773724787.203586334, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"0000:00:02.0", "flags"=>2752512, "mode"=>0, "fd"=>22, "error_raw"=>0}]
[16] ebpf.0: [[1773724787.203594098, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"drm", "flags"=>2752512, "mode"=>0, "fd"=>27, "error_raw"=>0}]
[17] ebpf.0: [[1773724787.203601901, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"card1", "flags"=>2752512, "mode"=>0, "fd"=>22, "error_raw"=>0}]
[18] ebpf.0: [[1773724787.203609786, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"card1-eDP-1", "flags"=>2752512, "mode"=>0, "fd"=>27, "error_raw"=>0}]
[19] ebpf.0: [[1773724787.203617596, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"intel_backlight", "flags"=>2752512, "mode"=>0, "fd"=>22, "error_raw"=>0}]
[20] ebpf.0: [[1773724787.203625391, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/proc/self/fd/22", "flags"=>2621696, "mode"=>0, "fd"=>11, "error_raw"=>0}]
[21] ebpf.0: [[1773724787.203633258, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/sys/devices/pci0000:00/0000:00:02.0/drm/card1/card1-eDP-1/intel_backlight/uevent", "flags"=>524544, "mode"=>0, "fd"=>11, "error_raw"=>0}]
[22] ebpf.0: [[1773724787.203641625, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"/run/udev/data/+backlight:intel_backlight", "flags"=>524288, "mode"=>0, "fd"=>11, "error_raw"=>0}]
[23] ebpf.0: [[1773724787.203649333, {}], {"event_type"=>"vfs", "pid"=>2490983, "tid"=>2490983, "comm"=>"(sd-bright)", "operation"=>0, "path"=>"/dev/null", "flags"=>524290, "mode"=>0, "fd"=>3, "error_raw"=>0}]
[24] ebpf.0: [[1773724787.203657159, {}], {"event_type"=>"vfs", "pid"=>2490983, "tid"=>2490983, "comm"=>"(sd-bright)", "operation"=>0, "path"=>"/sys/devices/pci0000:00/0000:00:02.0/drm/card1/card1-eDP-1/intel_backlight/brightness", "flags"=>655617, "mode"=>0, "fd"=>4, "error_raw"=>0}]
[25] ebpf.0: [[1773724787.203664982, {}], {"event_type"=>"vfs", "pid"=>1517883, "tid"=>1517883, "comm"=>"systemd-udevd", "operation"=>0, "path"=>"/run/udev/queue", "flags"=>2752512, "mode"=>0, "fd"=>-2, "error_raw"=>2}]
[26] ebpf.0: [[1773724787.203673033, {}], {"event_type"=>"vfs", "pid"=>1517883, "tid"=>1517883, "comm"=>"systemd-udevd", "operation"=>0, "path"=>"/run/udev/queue", "flags"=>524481, "mode"=>420, "fd"=>16, "error_raw"=>0}]
[27] ebpf.0: [[1773724787.203680813, {}], {"event_type"=>"vfs", "pid"=>2486417, "tid"=>2486417, "comm"=>"(udev-worker)", "operation"=>0, "path"=>"/run/udev/data/+backlight:intel_backlight", "flags"=>524288, "mode"=>0, "fd"=>18, "error_raw"=>0}]
[2026/03/17 14:19:48.204] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_vfs
[28] ebpf.0: [[1773724787.203688796, {}], {"event_type"=>"vfs", "pid"=>2486417, "tid"=>2486417, "comm"=>"(udev-worker)", "operation"=>0, "path"=>"/", "flags"=>2686976, "mode"=>0, "fd"=>18, "error_raw"=>0}]
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • New Features

    • Added VFS event tracing to capture file system operations, including openat syscalls
    • Captures operation details: file path, flags, mode, file descriptor, and error information
    • Supports mount namespace filtering
  • Documentation

    • Updated configuration examples to include the new VFS tracing option

Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
coderabbitai bot commented Mar 17, 2026

Walkthrough

This change introduces VFS (Virtual File System) event tracing to the eBPF plugin. It adds new event type definitions for VFS operations, an eBPF program to capture openat syscalls, and handler functions to encode and forward VFS events to Fluent Bit for logging.

Changes

| Cohort / File(s) | Summary |
|---|---|
| VFS Event Type Definitions: plugins/in_ebpf/traces/includes/common/events.h, plugins/in_ebpf/traces/includes/common/encoder.h, plugins/in_ebpf/in_ebpf.c | Added EVENT_TYPE_VFS enum value, struct vfs_event with fields (operation, path, flags, mode, fd, error_raw), VFS_PATH_MAX constant, and vfs union member to event structure. Extended event_type_to_string to handle VFS type. Updated documentation example traces list. |
| VFS Handler and Integration: plugins/in_ebpf/traces/vfs/handler.h, plugins/in_ebpf/traces/vfs/handler.c, plugins/in_ebpf/traces/traces.h | Added trace_vfs handler registration, encode_vfs_event and trace_vfs_handler functions to encode VFS events for Fluent Bit, and integrated trace_vfs skeleton into trace table. |
| VFS eBPF Program: plugins/in_ebpf/traces/vfs/bpf.c | Implemented eBPF program tracing openat syscalls via sys_enter_openat and sys_exit_openat tracepoints; captures file operation details, applies mount namespace filtering, stores per-thread arguments, and submits complete event records. |

Sequence Diagram

sequenceDiagram
    participant Kernel as Kernel
    participant eBPF as eBPF Program
    participant Handler as VFS Handler
    participant FluentBit as Fluent Bit

    Kernel->>eBPF: sys_enter_openat(filename, flags, mode)
    eBPF->>eBPF: Store args in per-thread map (tid)
    
    Kernel->>eBPF: sys_exit_openat(return_code)
    eBPF->>eBPF: Lookup tid in values map
    eBPF->>eBPF: Build event (timestamp, pid, uid, gid,<br/>mntns_id, cmd, operation, path,<br/>flags, mode, fd, error_raw)
    eBPF->>Handler: Submit event via gadget_submit_buf
    
    Handler->>Handler: encode_vfs_event: Begin log record
    Handler->>Handler: Append common fields
    Handler->>Handler: Append VFS fields<br/>(operation, path, flags,<br/>mode, fd, error_raw)
    Handler->>FluentBit: Append encoded event to input
    Handler->>Handler: Reset encoder

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A new trace hops into view,
VFS opens paths both old and new,
From kernel syscalls to logs so bright,
File operations captured just right! 📝✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'in_ebpf: Add vfs trace' clearly and directly summarizes the main change: adding VFS trace support to the in_ebpf plugin, which is the primary objective of the PR. |


coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (5)
plugins/in_ebpf/traces/vfs/handler.c (3)

10-12: Unused ins parameter.

The ins parameter is declared but never used in encode_vfs_event. Either remove it to match the actual interface needs, or use it for debug/error logging (e.g., flb_plg_debug(ins, ...)).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/in_ebpf/traces/vfs/handler.c` around lines 10 - 12, The parameter
`ins` in the function `encode_vfs_event` is unused; either remove `ins` from the
function signature and update all declarations/call sites (prototypes and
callers of `encode_vfs_event`) to match, or use it for diagnostic logging (e.g.,
call `flb_plg_debug(ins, ...)` inside `encode_vfs_event`) and keep the
parameter; ensure the chosen approach keeps function prototypes in headers and
callers consistent and rebuilds without unused-parameter warnings.

27-36: Consider encoding operation as a human-readable string.

The operation field is encoded as an int32 (the raw enum value). For consistency with event_type which is encoded as a string (e.g., "vfs"), consider encoding operation as "openat" rather than 0. This improves log readability without requiring downstream consumers to map enum values.

♻️ Example: Add operation-to-string helper
static inline const char *vfs_op_to_string(enum vfs_op op) {
    switch (op) {
        case VFS_OP_OPENAT: return "openat";
        default: return "unknown";
    }
}

Then use flb_log_event_encoder_append_body_cstring(log_encoder, vfs_op_to_string(ev->details.vfs.operation)).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/in_ebpf/traces/vfs/handler.c` around lines 27 - 36, Replace the
integer encoding of the VFS operation with a human-readable string: add a helper
function (e.g., vfs_op_to_string(enum vfs_op op)) that maps enum values (use
cases like VFS_OP_OPENAT) to strings, then call
flb_log_event_encoder_append_body_cstring(log_encoder,
vfs_op_to_string(ev->details.vfs.operation)) instead of
flb_log_event_encoder_append_body_int32; preserve the existing error handling by
checking the return for FLB_EVENT_ENCODER_SUCCESS and calling
flb_log_event_encoder_rollback_record(log_encoder) and returning -1 on failure.

101-106: Type aliasing via struct field ordering is fragile.

The cast of void *ctx to struct trace_event_context * is currently safe because flb_in_ebpf_context has ins and log_encoder as its first two fields in matching order. However, this design implicitly relies on struct field layout rather than explicit typing. If flb_in_ebpf_context fields are ever reordered, all handlers (signal, malloc, bind, vfs) will silently break.

Consider a wrapper function or type-safe callback mechanism to avoid this fragility.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/in_ebpf/traces/vfs/handler.c` around lines 101 - 106, The handler
currently casts void *ctx to struct trace_event_context in trace_vfs_handler,
relying on flb_in_ebpf_context and trace_event_context having matching
first-field layout (ins, log_encoder) which is fragile; change the callback API
or add a small, type-safe wrapper that accepts the real flb_in_ebpf_context* and
extracts/forwards a properly built struct trace_event_context (or provides
accessor functions for log_encoder) so handlers (trace_vfs_handler and the other
handlers: signal, malloc, bind) no longer perform unsafe casts; update handler
registrations to call the new wrapper/adapter so code uses explicit types
instead of relying on struct field ordering.
plugins/in_ebpf/traces/vfs/handler.h (1)

1-12: Header is not self-contained: missing type declarations.

The header declares encode_vfs_event with parameters of type struct flb_input_instance * and struct flb_log_event_encoder *, but neither type is forward-declared nor included. This could cause compilation errors if this header is included before the Fluent Bit headers.

Consider adding forward declarations:

♻️ Proposed fix to add forward declarations
 `#ifndef` VFS_HANDLER_H
 `#define` VFS_HANDLER_H
 
 `#include` <stddef.h>
 `#include` "common/events.h"
 
+struct flb_input_instance;
+struct flb_log_event_encoder;
+
 int trace_vfs_handler(void *ctx, void *data, size_t data_sz);
 int encode_vfs_event(struct flb_input_instance *ins,
                      struct flb_log_event_encoder *log_encoder,
                      const struct event *ev);
 
 `#endif`
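
Review bot: the first added line, `struct flb_input_instance;`, is only needed while the `encode_vfs_event` prototype below it keeps its `ins` parameter. If the unused-`ins` nitpick on handler.c is resolved by removing that parameter, drop this forward declaration in the same change and keep only `struct flb_log_event_encoder;`, so the header declares exactly the types its prototypes name.
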
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/in_ebpf/traces/vfs/handler.h` around lines 1 - 12, The header
declares encode_vfs_event with parameters using struct flb_input_instance and
struct flb_log_event_encoder but does not forward-declare them or include their
headers; add forward declarations for "struct flb_input_instance;" and "struct
flb_log_event_encoder;" near the top of this header (before the prototype for
encode_vfs_event) so the declarations of trace_vfs_handler and encode_vfs_event
compile when this header is included independently.
plugins/in_ebpf/traces/includes/common/events.h (1)

8-8: Consider path truncation implications.

VFS_PATH_MAX = 256 is relatively small compared to the system PATH_MAX (typically 4096). Long paths will be truncated during bpf_probe_read_user_str. This is likely intentional to keep event size manageable in BPF ring buffers, but worth documenting or logging when truncation occurs.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@plugins/in_ebpf/traces/includes/common/events.h` at line 8, VFS_PATH_MAX is
set to 256 which will cause long user paths to be truncated when read with
bpf_probe_read_user_str; update the implementation that reads paths (calls to
bpf_probe_read_user_str) to detect truncation by checking the returned length
and set a truncation indicator in the event (add or reuse a flag/field in the
event struct) or increase VFS_PATH_MAX if you want to preserve full paths, and
add a brief comment next to the VFS_PATH_MAX macro documenting the truncation
behavior and reasoning; reference the VFS_PATH_MAX macro and the call sites that
use bpf_probe_read_user_str to implement the detection and flagging.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@plugins/in_ebpf/traces/vfs/bpf.c`:
- Line 1: The SPDX header and the kernel-facing LICENSE string in the BPF file
are inconsistent (SPDX says "LGPL-2.1 OR BSD-2-Clause" while the kernel-facing
string declares "Dual BSD/GPL"); decide on the intended license and make both
declarations match across this file and all BPF files: update the SPDX
identifier at the top to the chosen SPDX expression and update the kernel-facing
license string (the BPF module's LICENSE string constant, e.g., the "LICENSE"
char[] used by the BPF program) to the equivalent kernel-facing wording (e.g.,
"GPL" or "Dual BSD/GPL") so they are consistent. Ensure you apply the same
change to every BPF source file in the project.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7c94e461-090b-4b89-af70-3048b1e612b3

📥 Commits

Reviewing files that changed from the base of the PR and between 81eb49f and d758d42.

📒 Files selected for processing (7)
  • plugins/in_ebpf/in_ebpf.c
  • plugins/in_ebpf/traces/includes/common/encoder.h
  • plugins/in_ebpf/traces/includes/common/events.h
  • plugins/in_ebpf/traces/traces.h
  • plugins/in_ebpf/traces/vfs/bpf.c
  • plugins/in_ebpf/traces/vfs/handler.c
  • plugins/in_ebpf/traces/vfs/handler.h
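
The records in the PR description carry `operation`, `flags`, `mode` and `error_raw` as raw integers, and the review notes that paths are cut at `VFS_PATH_MAX`. The following is an added example, not code from the PR or from Fluent Bit: it parses those stdout records, decodes the integers and tags the opens an analyst reading this telemetry would want to notice. It assumes the x86-64 Linux values for the open flags; `parse_record`, `decode_flags`, `triage` and `analyze` are names made up for the example.

```python
import errno
import re

VFS_PATH_MAX = 256        # buffer size quoted in the review; at most 255 path bytes fit
VFS_OPS = {0: "openat"}   # the only operation this PR traces
# open(2) flag bits as defined for x86-64 Linux (assumption; other ABIs differ)
O_ACCMODE, O_CREAT, O_PATH = 0o3, 0o100, 0o10000000
ACCESS = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
FLAG_BITS = {
    O_CREAT: "O_CREAT", 0o200: "O_EXCL", 0o400: "O_NOCTTY", 0o1000: "O_TRUNC",
    0o2000: "O_APPEND", 0o4000: "O_NONBLOCK", 0o200000: "O_DIRECTORY",
    0o400000: "O_NOFOLLOW", 0o2000000: "O_CLOEXEC", O_PATH: "O_PATH",
}

# Records copied from the debug output in the PR description.
SAMPLE = '''\
[7] ebpf.0: [[1773724787.203522448, {}], {"event_type"=>"vfs", "pid"=>1004, "tid"=>1004, "comm"=>"systemd-logind", "operation"=>0, "path"=>"sys", "flags"=>2752512, "mode"=>0, "fd"=>27, "error_raw"=>0}]
[23] ebpf.0: [[1773724787.203649333, {}], {"event_type"=>"vfs", "pid"=>2490983, "tid"=>2490983, "comm"=>"(sd-bright)", "operation"=>0, "path"=>"/dev/null", "flags"=>524290, "mode"=>0, "fd"=>3, "error_raw"=>0}]
[24] ebpf.0: [[1773724787.203657159, {}], {"event_type"=>"vfs", "pid"=>2490983, "tid"=>2490983, "comm"=>"(sd-bright)", "operation"=>0, "path"=>"/sys/devices/pci0000:00/0000:00:02.0/drm/card1/card1-eDP-1/intel_backlight/brightness", "flags"=>655617, "mode"=>0, "fd"=>4, "error_raw"=>0}]
[25] ebpf.0: [[1773724787.203664982, {}], {"event_type"=>"vfs", "pid"=>1517883, "tid"=>1517883, "comm"=>"systemd-udevd", "operation"=>0, "path"=>"/run/udev/queue", "flags"=>2752512, "mode"=>0, "fd"=>-2, "error_raw"=>2}]
[26] ebpf.0: [[1773724787.203673033, {}], {"event_type"=>"vfs", "pid"=>1517883, "tid"=>1517883, "comm"=>"systemd-udevd", "operation"=>0, "path"=>"/run/udev/queue", "flags"=>524481, "mode"=>420, "fd"=>16, "error_raw"=>0}]
'''

PAIR = re.compile(r'"(\w+)"=>("(?:[^"\\]|\\.)*"|-?\d+)')
STAMP = re.compile(r"\[\[(\d+\.\d+),")


def parse_record(line):
    """Return the body of a stdout-formatted vfs record as a dict, else None."""
    stamp = STAMP.search(line)
    body = {k: v[1:-1] if v.startswith('"') else int(v) for k, v in PAIR.findall(line)}
    if stamp is None or body.get("event_type") != "vfs":
        return None
    body["ts"] = stamp.group(1)
    return body


def decode_flags(flags):
    """Render the raw openat flags as symbolic names; unknown bits stay in hex."""
    names = [ACCESS.get(flags & O_ACCMODE, "O_ACCMODE(3)")]
    rest = flags & ~O_ACCMODE
    for bit, name in FLAG_BITS.items():
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))
    return "|".join(names)


def triage(ev):
    """Tag what an analyst would want to notice about one event."""
    tags = []
    if ev["flags"] & O_ACCMODE and not ev["flags"] & O_PATH:
        tags.append("write-intent")
    if ev["flags"] & O_CREAT:
        tags.append("creates-file")
    if not ev["path"].startswith("/"):
        tags.append("relative-path")   # resolved against a dirfd the record does not carry
    if len(ev["path"].encode()) >= VFS_PATH_MAX - 1:
        tags.append("path-maybe-truncated")
    if ev["error_raw"]:
        tags.append("failed:" + errno.errorcode.get(ev["error_raw"], str(ev["error_raw"])))
    return tags


def analyze(text):
    """Decode every vfs record in text into a readable summary."""
    out = []
    for ev in filter(None, map(parse_record, text.splitlines())):
        out.append({
            "comm": ev["comm"], "path": ev["path"],
            "op": VFS_OPS.get(ev["operation"], "unknown"),
            "flags": decode_flags(ev["flags"]),
            "mode": oct(ev["mode"]), "tags": triage(ev),
        })
    return out


if __name__ == "__main__":
    for row in analyze(SAMPLE):
        print(row)
```

A path of exactly 255 bytes is tagged as possibly truncated because the record alone cannot distinguish a full buffer from a cut one.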
